OctoPrint offers a special API key type for apps to use, the so-called App Session Key. These keys have a time-based
validity and are generated by OctoPrint for requesting apps.

Obtaining those keys is based on a handshake procedure backed by cryptographic signatures using RSA. OctoPrint needs to
be aware of apps and their associated public keys (this can be achieved either via entries in config.yaml or by
installing app-specific plugins which implement the AppPlugin type).

Apps can be registered within OctoPrint via config.yaml by adding them to the api > apps section, using the
application’s id concatenated with its version as key, with the public key provided as item pubkey (stripped of the
BEGIN RSA PUBLIC KEY and END RSA PUBLIC KEY separators and also newlines) and optionally also whether the app is
enabled or not (this defaults to enabled, so it can be left out unless the app is to be explicitly disabled).

In the example, the app com.example.my_octoprint_app in version 0.9 has been disabled (e.g. due to the key having
leaked) whereas version 1.0 is fully registered with OctoPrint and may verify app session keys.

Apps perform the handshake by first requesting a temporary key with very limited validity,
then sending a message back to OctoPrint containing their id, version, the temporary key and a signature created with their
private key over these three pieces of data. OctoPrint then tries to verify the signature and if successful unlocks the
key to be used as a fully recognized API key.

For performing the handshake, OctoPrint provides a special API that requires no API key; it is described below.

The signature is created by concatenating the appid, appversion and key fields, separated by a : (colon),
signing the result with the app’s private key using SHA-1 and then BASE64-encoding the result, stripping newlines.
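
The signature step described above, as an added example in Go (not OctoPrint's own code or part of the original page). It signs appid:appversion:key and runs the matching check; PKCS#1 v1.5 padding is an assumption, and the function names, the temporary key value and the generated key pair are constructed for the demo.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"encoding/base64"
	"fmt"
)

// signedMessage joins the three fields with ":" exactly as the text describes.
func signedMessage(appid, appversion, key string) []byte {
	return []byte(appid + ":" + appversion + ":" + key)
}

// SignHandshake (app side). Assumption: PKCS#1 v1.5 padding; the text names only RSA and SHA-1.
func SignHandshake(priv *rsa.PrivateKey, appid, appversion, key string) (string, error) {
	digest := sha1.Sum(signedMessage(appid, appversion, key))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA1, digest[:])
	return base64.StdEncoding.EncodeToString(sig), err // StdEncoding emits no newlines
}

// VerifyHandshake (checking side): rebuild the message from the submitted fields
// and verify the signature against the public key registered for that app.
func VerifyHandshake(pub *rsa.PublicKey, appid, appversion, key, sigB64 string) bool {
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	digest := sha1.Sum(signedMessage(appid, appversion, key))
	return err == nil && rsa.VerifyPKCS1v15(pub, crypto.SHA1, digest[:], sig) == nil
}

func newDemoKey() *rsa.PrivateKey { // throwaway key pair, constructed for this example
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return priv
}

func main() {
	priv := newDemoKey()
	id, ver, tmp := "com.example.my_octoprint_app", "1.0", "constructed-temporary-key"
	sig, err := SignHandshake(priv, id, ver, tmp)
	if err != nil {
		panic(err)
	}
	// The same signature presented with a different version must not verify.
	fmt.Println(VerifyHandshake(&priv.PublicKey, id, ver, tmp, sig), VerifyHandshake(&priv.PublicKey, id, "0.9", tmp, sig))
}
```

Because the version and the temporary key are both covered by the signature, a signature made for one version or one temporary key does not verify for another.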